#DPPC2018
GDPR Consent
GDPR Consent – Data Protection Practitioners' Conference 2018 (#DPPC2018) – PowerPoint presentation
Agenda: What's new? When is consent appropriate? What is valid consent? How do we get consent?
What's new?
Granular and separate
What does 'granular' mean?
Separate consent for separate things
Separate from your terms and conditions
Specific to your purposes and methods
Unambiguous and clear affirmative action
It must be they intended to consent – there can be no doubt.
A clear affirmative action means a clear action to
No pre-ticked opt-in boxes
Don't use pre-ticked boxes… …or rely on any silence, inactivity, or consent as the default
Identity of the controller
You must name your
…and name any third party controller relying
…categories of third parties is not specific enough
Right to withdraw consent
Individuals have the right to withdraw consent at any time:
You must tell them this when you get consent
It must be as easy to withdraw consent as to give it
You must stop processing as soon as possible
Clear records of consent
You will need to show:
When they consented…
Who consented…
What they were told…
How they consented
When is consent appropriate?
When should you use consent?
There's no appropriate lawful basis
You want to give people choice and control
Or you are required to have consent
When not to use consent
If you would do it anyway – asking for consent is misleading and inherently unfair
If you are in a position of power – they may feel they have no choice
If consent is a condition of service but not necessary for the service
Remember there are alternatives to consent
Contract with the individual
Compliance with a legal obligation
Protecting vital interests
'Public task' – official functions or public interest tasks laid down by law
Legitimate interests
What is valid consent?
The definition of consent
"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Consent must be:
Freely given (genuine choice & control)
Specific and informed (targeted to your purpose & easy to understand)
Unambiguous by a clear affirmative action (a clear signal that they agree)
Explicit consent
Explicit consent is not very different from regular consent… however…
It must be affirmed in a clearly worded statement (either written or oral)…
It must specifically refer to the element requires explicit consent…
A request for explicit consent should be separate from other consent requests
Consent timescales
There is no specific timescale for expiry of consent in the GDPR
How long consent lasts will depend on the context… For example…
The scope of the consent…
The individual's expectations…
If the processing has evolved beyond the original consent
And don't forget consent can be withdrawn at any time – in which case you must stop the processing
When is consent not consent?
For example, it's not consent:
If it's not obvious that the individual has consented;
If you can't actually prove that you've got consent;
If you weren't named as seeking consent from the individual;
If you used pre-ticked opt-in boxes the default; or
If you're not sure – as that means it's not unambiguous!
How do we get consent?
Your consent request must be:
Prominent – make it obvious
Separate and granular – separate from T&Cs and separate consent for separate things
Concise – don't be vague or long winded and rambling
Easy to understand – use plain language and don't be confusing
As a minimum you must:
Name your organisation
Name any third parties who will be relying on the consent
Explain your purposes and activities (what you'll be doing and why)
Tell people they can withdraw consent at any time
Methods of obtaining consent
You can use a range of possible methods… For example…
The individual signs a consent form…
The individual ticks an opt-in box, either online or
The individual says 'yes' to a clear oral request for consent
Evidence of consent
You need evidence of: Who, When, What, How
Who: the individual's name or other identifier (eg username, session ID)
When: eg a dated document, electronic timestamp, and time of the conversation
What: eg a master copy of the document with the consent request, used at the time
How: eg a copy of the data capture form, the data submitted online (with timestamp), or a note of oral consent made at the time
Reviewing and refreshing
Keep consent under regular review, and refresh if your purposes evolve beyond those specified
There is no such thing as 'evolving consent' because consent must be specific
Consider whether to automatically refresh at appropriate intervals
How often you need to refresh consent will depend on the particular context and expectations
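As an added illustration (not part of the ICO slides) of the records, withdrawal and refresh points above: a minimal consent ledger that stores who / when / what they were told / how per granular purpose, refuses anything that is not an affirmative action, makes withdrawal a single call, and treats consent as stale once the request wording changes. The class, method names and the "v1"/"v2" version labels are assumptions of this example.

```python
# Added example (not from the ICO slides): a consent ledger keeping the evidence the deck
# calls for (who, when, what they were told, how) per purpose, with withdrawal and refresh.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ConsentRecord:
    subject_id: str              # who: name or other identifier (username, session ID)
    purpose: str                 # one granular purpose per record, never a bundle
    given_at: str                # when: ISO-8601 UTC timestamp captured at the time
    request_version: str         # what: version of the request text they were shown
    method: str                  # how: "opt-in box", "signed form", "oral", ...
    withdrawn_at: Optional[str] = None

class ConsentLedger:
    def __init__(self):
        self._texts = {}     # purpose -> {version: text shown}: master copy of every wording
        self._records = []

    def add_request_version(self, purpose, version, text):
        # Assumption for this example: version labels sort lexically ("v1" < "v2").
        self._texts.setdefault(purpose, {})[version] = text

    def record_consent(self, subject_id, purpose, version, method, affirmative, now):
        # Silence, inactivity or a pre-ticked box is not consent: require an affirmative act.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        if version not in self._texts.get(purpose, {}):
            raise ValueError("unknown purpose or request version")
        rec = ConsentRecord(subject_id, purpose, now, version, method)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, now):
        # As easy to withdraw as to give: one call, effective immediately.
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = now

    def is_permitted(self, subject_id, purpose):
        # Only an unwithdrawn consent to the *current* wording counts: no "evolving consent".
        current = max(self._texts[purpose])
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None and r.request_version == current
                   for r in self._records)

    def evidence(self, subject_id, purpose):
        # (who, when, what they were told, how) for every consent this subject gave.
        return [(r.subject_id, r.given_at, self._texts[r.purpose][r.request_version], r.method)
                for r in self._records if r.subject_id == subject_id and r.purpose == purpose]
```

Once the wording for a purpose is replaced by a new version, `is_permitted` returns False for everyone who consented to the old text, which is the "refresh if your purposes evolve" check in code form.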
What about existing DPA consents?
No requirement to automatically refresh all existing DPA consents
But you need to make sure that your existing consents meet the GDPR standard
If your existing consents don't meet the GDPR standard you need to: seek fresh GDPR consent; identify a different lawful basis; or stop the processing.
More information is available…
Pick up a leaflet from the hub
Check out our lawful basis tool
Visit our website: www.ico.org.uk
@iconews
Subscribe to our e-newsletter at www.ico.org.uk